Access logs analysis @Tomcat

Question

We have the following access logs pattern enabled in the server.xml file pattern="%h %H %l %u %t "%r" %s %b location: %{location}o".

Could someone please help understand the parameters in the pattern followed by the analysis from the logs mentioned below.

10.103.62.207 HTTP/1.1 - - [03/Apr/2018:11:46:02 -0400] "GET / HTTP/1.1" 200 1150 location: -

10.103.62.207 HTTP/1.1 - - [03/Apr/2018:11:46:03 -0400] "GET /prweb/PRServletLDAP2 HTTP/1.1" 500 2375 location: -

10.103.62.207 HTTP/1.1 - - [03/Apr/2018:11:46:03 -0400] "GET /prweb/diagnostic/status_fail.gif HTTP/1.1" 304 - location: -

10.103.64.119 HTTP/1.1 - - [03/Apr/2018:11:46:09 -0400] "GET / HTTP/1.1" 200 1150 location: -

10.103.64.119 HTTP/1.1 - - [03/Apr/2018:11:46:10 -0400] "GET /prweb/PRServletLDAP2 HTTP/1.1" 500 2375 location: -

10.103.64.119 HTTP/1.1 - - [03/Apr/2018:11:46:10 -0400] "GET /prweb/diagnostic/status_fail.gif HTTP/1.1" 304 - location: -

10.103.64.119 HTTP/1.1 - - [03/Apr/2018:11:46:10 -0400] "GET /favicon.ico HTTP/1.1" 304 - location: -

10.103.64.119 HTTP/1.1 - - [03/Apr/2018:11:46:10 -0400] "GET /favicon.ico HTTP/1.1" 200 21630 location: -

10.103.64.119 HTTP/1.1 - - [03/Apr/2018:11:46:10 -0400] "GET /favicon.ico HTTP/1.1" 206 1 location: -

10.103.64.119 HTTP/1.1 - - [03/Apr/2018:11:46:10 -0400] "GET /favicon.ico HTTP/1.1" 206 4982 location: -

10.103.64.119 HTTP/1.1 - - [03/Apr/2018:11:46:18 -0400] "GET /prweb/PRServlet HTTP/1.1" 500 2375 location: -

10.103.64.119 HTTP/1.1 - - [03/Apr/2018:11:46:18 -0400] "GET /prweb/diagnostic/status_fail.gif HTTP/1.1" 304 - location: -

10.103.62.207 HTTP/1.1 - - [03/Apr/2018:11:46:27 -0400] "GET /prsysmgmt HTTP/1.1" 302 - location: /prsysmgmt/

10.103.62.207 HTTP/1.1 - - [03/Apr/2018:11:46:28 -0400] "GET /prsysmgmt/ HTTP/1.1" 200 436 location: -

10.103.62.207 HTTP/1.1 - - [03/Apr/2018:11:46:28 -0400] "GET /prsysmgmt/getnodes.action HTTP/1.1" 200 1664 location: -

10.103.62.207 HTTP/1.1 - - [03/Apr/2018:11:46:28 -0400] "GET /prsysmgmt/js/global.js HTTP/1.1" 200 4295 location: -

10.103.62.207 HTTP/1.1 - - [03/Apr/2018:11:46:28 -0400] "GET /prsysmgmt/nodeframes.action?action=frameTop HTTP/1.1" 200 2736 location: -

10.103.62.207 HTTP/1.1 - - [03/Apr/2018:11:46:28 -0400] "GET /prsysmgmt/jsp/services2/DisplayWelcome.jsp HTTP/1.1" 200 503 location: -

10.103.62.207 HTTP/1.1 - - [03/Apr/2018:11:46:28 -0400] "GET /prsysmgmt/js/global.js HTTP/1.1" 304 - location: -

10.103.62.207 HTTP/1.1 - - [03/Apr/2018:11:46:28 -0400] "GET /prsysmgmt/js/expcollapse.js HTTP/1.1" 200 3586 location: -

10.103.62.207 HTTP/1.1 - - [03/Apr/2018:11:46:28 -0400] "GET /prsysmgmt/images/blueCollapse.gif HTTP/1.1" 200 173 location: -

10.103.62.207 HTTP/1.1 - - [03/Apr/2018:11:46:28 -0400] "GET /prsysmgmt/images/pega_home.gif HTTP/1.1" 200 663 location: -

10.103.62.207 HTTP/1.1 - - [03/Apr/2018:11:46:28 -0400] "GET /prsysmgmt/css/styles.css HTTP/1.1" 200 3080 location: -

10.103.62.207 HTTP/1.1 - - [03/Apr/2018:11:46:28 -0400] "GET /prsysmgmt/images/pega_add.gif HTTP/1.1" 200 1145 location: -

10.103.62.207 HTTP/1.1 - - [03/Apr/2018:11:46:28 -0400] "GET /prsysmgmt/css/desktop.css HTTP/1.1" 200 111141 location: -

10.103.64.119 HTTP/1.1 - - [03/Apr/2018:11:46:44 -0400] "GET / HTTP/1.1" 302 - location: https://10.100.141.21:8087/

10.103.64.119 HTTP/1.1 - - [03/Apr/2018:11:46:44 -0400] "GET / HTTP/1.1" 304 - location: -

10.103.64.119 HTTP/1.1 - - [03/Apr/2018:11:46:44 -0400] "GET /prweb/PRServletLDAP2 HTTP/1.1" 500 2375 location: -

10.103.64.119 HTTP/1.1 - - [03/Apr/2018:11:46:44 -0400] "GET /prweb/diagnostic/status_fail.gif HTTP/1.1" 304 - location: -

10.103.62.207 HTTP/1.1 - - [03/Apr/2018:11:47:14 -0400] "GET / HTTP/1.1" 302 - location: https://10.100.141.21:8087/

10.103.62.207 HTTP/1.1 - - [03/Apr/2018:11:47:14 -0400] "GET / HTTP/1.1" 304 - location: -

10.103.62.207 HTTP/1.1 - - [03/Apr/2018:11:47:14 -0400] "GET /prweb/PRServletLDAP2 HTTP/1.1" 500 2375 location: -

10.103.62.207 HTTP/1.1 - - [03/Apr/2018:11:47:14 -0400] "GET /prweb/diagnostic/status_fail.gif HTTP/1.1" 304 - location: -

10.103.64.119 HTTP/1.1 - - [03/Apr/2018:11:47:18 -0400] "GET / HTTP/1.1" 302 - location: https://10.100.141.21:8087/

10.103.64.119 HTTP/1.1 - - [03/Apr/2018:11:47:20 -0400] "GET / HTTP/1.1" 200 1150 location: -

10.103.64.119 HTTP/1.1 - - [03/Apr/2018:11:47:20 -0400] "GET /prweb/PRServletLDAP2 HTTP/1.1" 500 2375 location: -

10.103.64.119 HTTP/1.1 - - [03/Apr/2018:11:47:21 -0400] "GET /prweb/diagnostic/status_fail.gif HTTP/1.1" 304 - location: -

10.103.64.119 HTTP/1.1 - - [03/Apr/2018:11:47:28 -0400] "GET /psysmgmt HTTP/1.1" 302 - location: https://10.100.141.21:8087/psysmgmt

10.103.64.119 HTTP/1.1 - - [03/Apr/2018:11:47:30 -0400] "GET /psysmgmt HTTP/1.1" 404 1078 location: -

10.103.62.207 HTTP/1.1 - - [03/Apr/2018:12:00:44 -0400] "GET / HTTP/1.1" 304 - location: -

10.103.62.207 HTTP/1.1 - - [03/Apr/2018:12:00:45 -0400] "GET /prweb/PRServletLDAP2 HTTP/1.1" 500 2375 location: -

10.103.62.207 HTTP/1.1 - - [03/Apr/2018:12:00:45 -0400] "GET /prweb/diagnostic/status_fail.gif HTTP/1.1" 304 - location: -

10.103.62.207 HTTP/1.1 - - [03/Apr/2018:12:01:00 -0400] "GET /prweb/PRServlet HTTP/1.1" 500 2375 location: -

10.103.62.207 HTTP/1.1 - - [03/Apr/2018:12:01:00 -0400] "GET /prweb/diagnostic/status_fail.gif HTTP/1.1" 304 - location: -

10.103.62.207 HTTP/1.1 - - [03/Apr/2018:12:02:49 -0400] "GET /prweb/PRServlet HTTP/1.1" 500 2375 location: -

10.103.62.207 HTTP/1.1 - - [03/Apr/2018:12:02:49 -0400] "GET /prweb/diagnostic/status_fail.gif HTTP/1.1" 304 - location: -

Answer 1

The pattern fields are explained in the documentation

It appears the pattern you are using is not so good, although we don't know what you want to log exactly. A dev server is not a prod server, and you might have different configs on different environments.

I won't repeat the documentation, but I will just say that - means that this field contains no information. %u is only used when you authenticate users and %l is never used. Probably you don't need both of them, if you don't have security-constraints configured.

You are logging location with location: %{location}o , but the Location header is only returned by the server when you are redirecting a client with a 301 or 302 response. For which reason it is set ? Dunno.

The common practice, if you don't need anything special, is to rely on the very well known patterns called common or combined, the latter being the preferred one for historical reasons (log analysis tracing back the user activity). To activate one or the other, as the doc says, just use pattern="combined"